Hello, welcome to the Friday, January 15th, 2021 edition of the Sandtonet Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

So yesterday, I talked about Hankitovich, was sort of a run-of-the-mill malware that relied on the victims to enable macros and very typical

sort of mass emailed malver. Well, today we sort of have the counterpart, Boyan, as part of his

day job ran into an Excel spreadsheet that was used in a spearfishing attack and, well, also relied on the victim-enabling

macros.

Now, this was one of those Excel for macros, as it turned out, and a bit difficult or

more difficult than usual to actually analyze.

In these targeted attacks, you often, of course, find more custom methodologies being used in order to evade various defenses, and this is essentially what Boyan had to deal with here,

and he's walking you step by step through how he solved the various challenges

that the attacker put up here in order to prevent reverse analysis of the malware.

In the end, Boyan had to resort to dynamic analysis, which essentially just means you run the

macro and see what it does. So often you're often you're using debuggers for Excel for Macro as well.

There isn't really sort of a debugger per se.

So Boyan shows how he coerced Excel into essentially acting as a debugger, inserting breakpoints

by taking advantage of the halt command that's available

in Excel. So of course, if you render something similar, let us know and let us know if you

find this particular article helpful. Then we've got an interesting vulnerability that's currently

unpatched and exploitable in Windows

that appears to corrupt NTFS volumes, but actually a reboot usually fixes the problem.

So as soon as, for example, you're changing to a directory with that name, even if the directory doesn't

exist, you are getting an error message saying that the file or directory is corrupted

and unreadable and the system will reboot.

...